The Help Desk demo, Part 2–Azure Active Directory

Authentication to the various Office 365 APIs and access points requires some effort.  First, we need to create our application.  Then we need to assign access to the individual applications.  Finally, we need to generate and install a certificate for authentication.

Creating the application

To create the application, we first need to make our way to the Azure Portal and into Active Directory.  Then, click the Applications tab and choose Add an application:

image

Then, select “Add an application my organization is developing”:

image

Then, give it a name and click the right arrow:

image

Enter the URL of the target location of the website so that Azure AD knows how to route users for authentication and such.  Also enter a unique App ID:

image

After a while, if all goes well, we’ll be presented with the Quick Start screen for the new app.  Click the Configure tab at the top.

image

Assign Access to the Individual Applications

Now that we’ve created our app, we need to assign the necessary permissions.  Scroll down to the bottom of the page and find the ‘permissions to other applications section’

image

In the ‘Windows Azure Active Directory’ application, select the Application Permissions drop down and check ‘Read directory data’

image

Then, click ‘Add application’.  In the window that opens, click the plus sign next to ‘Microsoft Graph’ and ‘Office 365 SharePoint Online’ and then click the check mark in the bottom right hand corner.

image

This should add the three application permissions to our own application.  Expand the ‘Application Permissions’ for Microsoft Graph and select ‘Read all users’ full profiles’, ‘Read directory data’, ‘Read all groups’, and ‘Read and write mail in all mailboxes’, like so:

image

Then expand ‘Application Permissions’ for Office 365 SharePoint Online and select ‘Read items in all site collections’:

image

Finally, click Save:

image

Generate and install a certificate

When authenticating to Azure Active Directory for the Microsoft Graph, a standard ClientId/ClientSecret seems to work just fine.  However, when authenticating for Office 365 SharePoint Online, a certificate is apparently required.  For the sake of this instruction, we’ll use a self-signed certificate.  However, in a real world production environment, but sure to use an certificate from an actual trusted authority.

First, launch the Visual Studio Developer Command Prompt as an administrator.  Navigate to the location that we’d like to store our certificate (we can always move it later, too).  Then run the command ‘makecert –r –pe –n “CN=BusinessApps.HelpDesk” –ss My –len 2048 BusinessApps.HelpDesk.cer’

image

Next, copy the ClientId of your application from the Azure Active Directory page:

image

Then, launch PowerShell and run the following script, replacing “<cert path>” with the location of the certificate from above and <client ID> with the ClientId that we just copied:

Connect-MsolService
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$cer.Import(“G:\Jonathan\GitRepos\PnP\Solutions\BusinessApps.HelpDesk\BusinessApps.HelpDesk\Certificates\BusinessApps.HelpDesk.cer”)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId “b5154e8f-e4cb-4124-8424-f5ec1981f518” -Type asymmetric -Value $credValue -Usage verify

image

Note:  these steps were largely borrowed from http://blogs.msdn.com/b/microsoft_azure_simplified/archive/2015/03/23/getting-started-using-azure-active-directory-aad-for-authenticating-automated-clients-c.aspx

While we’re at it, we’ll also copy that ClientId into the AzureId app setting for the application in the web.config file (I like to use AzureId instead of ClientId since SharePoint clients can automatically pull ClientId values from the web.config).

image

Now that the certificate has been added to our Azure application, we need to install it in the Personal cert store.  Start by navigating to the file location of the certificate above and double click it.  In the window that opens, click Install Certificate…

image

Clicking ‘Install Certificate’ will launch the Certificate Import Wizard.  Leave the ‘Current User’ location selected and then click ‘Next’ on the Certificate Import Wizard screen.

image

On the next screen, select ‘Place all certificates in the following store’ and click ‘Browse’:

image

In the window that opens, select ‘Personal’ and click ‘OK’

image

This will add ‘Personal’ to the ‘Certificate store’ box.  Click Next:

image

Finally, click finish:

image

If all went well, the certificate will be imported successfully:

image

Now that the certificate has been imported, we also need to retrieve the thumbprint of the certificate so that our source code can find it.  Going back to the certificate window, select the Details tab, then scroll down and find the Thumbprint field.  Highlight the value in the field and Ctrl+C to copy the value:

image

Then, go into the web project and populate the value into the web.config CertThumbprint app settings for the application (be sure to remove the spaces, as well):

image

And there we have it!  An application that has authority to read/write various bits of data against Azure Active Directory, SharePoint Online, and Microsoft Graph.

The Help Desk Demo

The entire source code for the Help Desk demo can be found here https://github.com/OfficeDev/PnP/tree/dev/Solutions/BusinessApps.HelpDesk/, in the Office 365 Dev PnP GitHub repository.

Leave a Reply

Your email address will not be published. Required fields are marked *